How do I prevent people from doing XSS in Spring MVC?

In Spring you can escape the HTML from JSP pages generated by <form> tags. This closes off a lot of avenues for XSS attacks, and can be done automatically in three ways: For the entire application in the web.xml file: <context-param> <param-name>defaultHtmlEscape</param-name> <param-value>true</param-value> </context-param> For all forms on a given page in the file itself: <spring:htmlEscape … Read more

Allow All Content Security Policy?

For people who still want an even more permissive policy, because the other answers were just not permissive enough, and they must work with Google Chrome for which * is just not enough: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; … Read more

Sanitising user input using Python

Here is a snippet that will remove all tags not on the whitelist, and all tag attributes not on the attributes whitelist (so you can't use onclick). It is a modified version of http://www.djangosnippets.org/snippets/205/, with the regex on the attribute values to prevent people from using href="https://stackoverflow.com/questions/16861/javascript:…", and other cases described at http://ha.ckers.org/xss.html. (e.g. … Read more

When is it best to sanitize user input?

Unfortunately, almost none of the participants ever clearly understands what they are talking about. Literally. Only Kibbee managed to get it straight. This topic is all about sanitization. But the truth is, such a thing as the wide-termed "general purpose sanitization" everyone is so eager to talk about just doesn't exist. There are a … Read more

What are the best practices for avoiding xss attacks in a PHP site [closed]

Escaping input is not the best you can do for successful XSS prevention. Output must also be escaped. If you use the Smarty template engine, you may use the |escape:'htmlall' modifier to convert all sensitive characters to HTML entities (I use my own |e modifier, which is an alias for the above). My approach to input/output security is: store … Read more

Sanitizing user input before adding it to the DOM in Javascript

Never use escape(). It has nothing to do with HTML-encoding. It's more like URL-encoding, but it's not even properly that. It's a bizarre non-standard encoding available only in JavaScript. If you want an HTML encoder, you'll have to write it yourself, as JavaScript doesn't give you one. For example: function encodeHTML(s) { return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, … Read more

Will HTML Encoding prevent all kinds of XSS attacks?

No. Putting aside the subject of allowing some tags (not really the point of the question), HtmlEncode simply does NOT cover all XSS attacks. For instance, consider server-generated client-side JavaScript: the server dynamically outputs HtmlEncoded values directly into the client-side JavaScript, and HtmlEncode will not stop injected script from executing. Next, consider the following pseudocode: … Read more